But the people who became LulzSec, the theory goes, really were just "in it for the lulz." They wanted to improve the state of security and have fun by pulling everyone's pants down, and go back to the spirit and fun of earlier 4chan days.

"They certainly do not appear to be in it for the dollars," said Joe.

And no, the Bitcoins they've solicited over Twitter for beer don't count.

Menn and others I spoke to emphasized that nobody appears to have done deep enough reporting to say definitively who LulzSec is, or where their origins lie. Presumably, a number of FBI agents are tasked with figuring that out, at this very moment.

Security consultant and writer Rich Mogull (Twitter) agreed the brazenness of their actions suggests they're a close-knit group that is careful about how they operate. A tight core of technically skilled hackers (and these guys clearly have skills) can hide effectively. They may be people involved with, or on the edges of, the security industry.

"If they don't recruit and stick to being careful, they can probably have a good run," Rich told us over email.

Another interesting phenomenon to watch, and one which may eventually lead to some uncloaking: Anonymous, LulzSec, and various other entities keep trying to "dox" each other. "Doxing," as Joe Menn explains, means pulling together documents saying this is so-and-so's real IP address, here's their social security number... here's the school where Sony exec Howard Stringer's kids go. Right now, there are security groups trying to dox LulzSec, and LulzSec is trying to dox them back. This is how the HB Gary scandal was unspooled, and conceivably, something like this could also do LulzSec in.

Among their growing fanbase are gamers angry at Sony for being so sloppy with security, and people who just enjoy watching little-guy pranksters take on big, powerful entities that don't understand the internet well enough (or care enough about their users' privacy) to be more secure.

They may be slashing tires and harming companies by DDoSing them but in the short term future that will force those companies to reinforce their tires, something that:
1) they should have done a looong time ago
2) will protect them from further harm they might have suffered at the hand of much less scrupulous hacker groups, at much greater costs than just downtime and user passwords revealed

No, the slashed tires analogy is pretty much spot on. Except for these companies it could cost them a hundred thousand dollars as opposed to a couple hundred. Although, given the nature of LoL, Minecraft, and EVE, I’d speculate that the “opportunity cost” of their servers being down for 12 hours is nigh negligible.

Oh god, CCP hires contractors to wait until a ddos ends. That’s, um, to be expected, I suppose.

I’d still laugh at a Ferrari or Lamborghini with slashed tires though…

I still think this Lulz Sec hacking campaign will do little to make computer and network systems more secure. The fundamental realities are that security is reactive, computer and network systems are so complex that finding flaws is relatively easy and of course, humans are involved. The reason RSA got hacked is the same reason I keep cleaning out viruses from my family’s computers. No matter how many times I establish basic security rules they should follow, one person tends to break them and they infect their machine. This behavior is mimicked not only by people who use a corporation’s networks and computers, but also by sysadmins who, for one reason or another, don’t apply the latest updates, or have lax security policies so the CEO doesn’t have to go through hoops to connect to the network, or other countless reasons.

For now, attackers have the advantage and have the power to break systems (relatively) stealthily, easily and from anywhere in the world with an internet connection. Until this security paradigm changes (through new security technologies or other means), I don’t think we’ll see meaningful change.

The group itself is an annoying group, gamer enthusiasts that come home from work to play games- instead of say going out and beating the crap out of people and getting drunk- to let off steam. Some use it as a way to get rid of anger (fps, violent games) so they don’t actually hurt people irl, others use it to enjoy company with friends because irl they have hard time understanding other subjects other than games. So all they are doing is pissing off a part of society that I wouldn’t recommend – I always say if someone did make games illegal in state that there would probably be more murders, rape, and shootouts cause you took a way to let off steam.

Now as for the other sites I have no comment to as they have no direct link to my life that I can change. Word of warning though more you expose how THE ‘US’ Internet problem is more Russia will take advantage or other countries by getting hackers or hacking knowledge to take down sites for good…

so… lulzsec is doing us a disservice by taking away the distractions that allow us not to be sociopaths to each other at the end of the day? If what you say is true, then we own lulzsec way more than lulz.

If our society is made up of distracted sociopaths, we’re more fucked than we would be if sony were hackable. Then again, you might just mean you.

@Ryanwoofs : yeah yeah – in all seriousness, I get you. Security breaches as a performance art can potentially serve the betterment of all. No sarcasm, I’m with you. And, mea culpa, I don’t know enough about network security to truly understand how their exploit.

From my perspective they seem like bullies. I acknowledge – and hope – that this is not so.

@HereticGestalt : much less enthusiastic ‘yeah.’ I so want to type more, but that link I got sent?

They’re more like terrorists hacking systems for “the lulz” but how funny is it when they get the balls to take all your money? When you wake up in the morning with no money and your house is gone with a note saying “ha lulz” how funny is it when you need a police officer quickly and all you get is “please hold” due to lulzsec hacking the phone lines…

It’s terrorism and to be honest they should be shut down and arrested before they hit serious things. Just my opinion though…

LulzSec is just Skidsrus people, where Ryan Cleary (one of the backstabbers of the older AnonOps network) is also hosting their IRC network.
They are just irritating and annoying other people and networks that have holes in them.
They sometimes use 0-sec exploits and sometimes they already hacked it some time ago.
Some of the lulzsec guys are new but most of them are known from Skidsrus.

Maybe I’m just being a bit naive, but it seems pretty obvious who they are: a group of kids having some fun. And like all such groups from the dawn of time, they’re going to do (and have done) some things of questionable ethics and wisdom.

On the other hand, they do seem to have a sense of humor and some of their hijinks are pretty funny (unlike Anonymous, who don’t seem to have much of a sense of humor, apart from hacking the Spanish police site and shopping the GF masks onto the police).

But yea, they’ve angered some pretty determined people, so I think this will end badly for them.

I’m one of those people that had ALL their info STOLEN from Sony by LulzSec and a few days later I had money stolen from my Bank account and there are others that I’m friends with that have had the same thing happen to them after Sony got Hacked by LulzSec.
Far as I’m concerned, they are a criminal organisation that are committing identity theft and fraud and they should all be sent to jail.

But I just wanted to say that “a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhea” is quite possibly one of the finest phrases I have read this week.

When it was Iran and the gubmints, I was kind of nodding in approval of an unorthodox approach to promoting transparency. Sony started to make me squirm a bit – the gamers most affected didn’t seem to do anything to warrant the action, hard to see the lulz there.

But now they’re going after, what, six guys in Sweden? A moderately successful video game website? EVE Online? I can’t help but think whatever point they’re trying to make regarding ‘big, powerful entities’ is getting badly diluted. Even Bethesda was stretching it in my most H of O’s.

Hell, isn’t Boing Boing as at risk of these merry pranksters as anyone else?

The faint whistling you hear is my enthusiasm for hacktivists steadily deflating.

I’ll just sit quietly over here and wait for someone to paraphrase Martin Niemöller’s “First they came for…”

I have to agree Elijah. If one day it’s BB that’s down, is it not interesting anymore? And seriously – Minecraft? A cool success story of a guy who was just doing what he loves and got some mad success? There’s no big brother/government/corporation there to hate.

Ruh-roh, they ddosed a few game servers and a magazine site. Hardly of any great danger or interest. It would be lulzy if they ddosed them with the FBI botnets.

Why is the assumption that Lulzsec is disclosing all of their hacks so global or that they aren’t taking financial gain from non-disclosed hacks? While I enjoy the idea that they are interwebz freedom fightas, I think it is quite naive to ignore the possibility that lulzsec is about more than that and the lulz. Certainly, making such a public stink doesn’t lend itself to enabling them to steal identities and cash as easily as before (well, that’s the hope), but it doesn’t exclude those activities by definition.

I’ll be honest; I laughed at the cockorow hack. I’ll probably laugh if BB gets hacked by lulzsec. Then I’ll make my email password much more secure.

I don’t think LulzSec has identified themselves as hacktivists, ever. That’s kind of the point.

Yes, BB is a potential target for malfeasance, from any number of directions. We’ve been hacked before. Recently, but before that, too. We will probably be targeted again. Won’t change the fact that this story, and related stories in the spectrum of hacking/cybercrime/pranksterism are interesting.

If LulzSec is reading this: guys, we’d appreciate it if you don’t nuke us. We already know you are capable of great pwnage. Thanks.

One time, someone went down a few streets in my neighborhood, randomly slashing the tires of the cars parked in the street. I fail to see any real difference between these DDOS attacks and that act of random vandalism. The DDOS attacks are low-tech, require little more than a streak of malice, and end up costing money for people who have done nothing to the vandals. Sure, after time passes it will be seen as little more than a nuisance, but the only lesson it teaches is that there are jerks out there who will harm others merely because they are entertained by the inconvenience they cause.

One time, someone went down a few streets in my neighborhood, randomly slashing the tires of the cars parked in the street. I fail to see any real difference between these DDOS attacks and that act of random vandalism.

This is more like going down the street, checking all the car doors and leaving notes in the unlocked cars telling them to start locking their doors.

Except that these guys didn’t leave notes. They disrupted service, which required companies to spend money to investigate the disruption and find ways around it. CCP, the company that runs EVE Online, stated that they go to external sources to help them deal with this type of problem, which I take to mean they have outside contractors. They have to evaluate their system to determine if any customers’ accounts were compromised, whether credit card information was obtained, etc. So they have to pay them. This would result in actual damages for companies like CCP. Not to mention the opportunity costs of reassigning internal programmers to address the situation, when they could be developing code for expansions, improved servers, etc. On top of this, add the people who wanted to play the accounts they’ve paid for, but couldn’t because CCP shut down their servers to avert any further damage.

I recognize this is not the worst type of attack, but I would argue that it’s not just a white-hat attack to notify someone of a vulnerability.

If this was about data compromises, we can bicker metaphors forever. “Taking down the VIN of every unlocked car on the block, as well as any personal information in the glove box and posting copies of everything on every block in the house.”

That’s entirely missing it. As someone who’s had to deal with service denial in a variety of contexts, I can tell you that your argument is orthogonal to what you’re really talking about. Seriously? Mojang? Your message to Mojang is that they should be consumers of bandwidth large enough that they can dictate to their Tier 1 provider what they should null-route?

(P.S. The actual metaphor in this context is someone going down the block and letting the air out of the tires on every car. Some of them have their own pump, some of them can get a pump, some of them need to get their whole car towed, and some of them prepaid for 87 tires full of air and all of those escaped.)

Close but not close enough, it’s like this: They walk down the street piss on car here, put a sticky note on it say lulz tango down, go over to another car slash the tires sticky note it saying sunk your ship lulz, finally go over to ATM machine kick it few times then sticky it saying Got your accounts lulz here they are 60,000+ with passes – all you see is abc – 123 written 150 times…. As a hacking group in comparison to what they have done is pathetic plus HOW do we really know this group is responsible to the Sony attack and not just saying that they did it. They may only be saying they are doing this so they look cool as for ddos I don’t doubt they did that because that’s a simple task to do in comparison to hacking Sony taking them down for while and stealing account info.

About as much as a fairly profitable small business. Or maybe an orthodontist.

Are you expecting Joe’s House of Beds (Now with 3 locations!) to invest in the same level of security as, say, your bank? Should he need to invest in that level of security just in case some group of locksmiths and burglar fetishists decide to break in and shit on all the mattresses to teach him a valuable lesson about improving his security?

Or is it more reasonable to decide ‘Hey, maybe you shouldn’t go around breaking into places and shitting on the mattresses?’

@Xeni : Ok, so they are not hacktivists. You never made any such claim and the inference was all mine. In defense of my word choice I was trying to put a positive spin on what they were doing by assigning them an agenda to which I was sympathetic when, admittedly, I have no idea what that would be.

Should we then assume they have no agenda? Yet they certainly seem intent on drawing a great amount of attention. How, then, are we to conceptualize them? Dada extremists?

The phrase seems needlessly weighty. Surely there’s a more colloquial term bandied about by their targets of malfeasance.

I’m not sure you understand the meaning of “in it for the lulz.” Sometimes people do things – art and sport/play come to mind – that are not primarily driven by agendas or profit motives. You don’t have to be a “Dada extremist” to do things for no other reason than that you like to show off and be challenged and entertained, aka because you can.

Why is it so hard to imagine that LulzSec is just not in it for the Big Message? They’re funny and really good at what they do, and they keep people on their toes. It’s not really a morally apt paradigm of behavior.

More important questions are:
If a group doing this “for the lulz” can wreak so much havoc, what could a group with more malicious intent do?

We’re only hearing about these incidents because LulzSec is publishing/boasting about them. How would we otherwise know? How would the affected companies even know if they had been breached in many cases, if they can’t even maintain the most overt of data security measures?

Going after major video game companies may seem like a questionable idea, but these merely offer addictive distractions to a large amount of people who could spend their valuable time doing more productive things in life. I think LulzSec going after World of Warcraft sometime in the future would be a good idea.

So they blatantly acknowledge being closely aligned with the transdimensional Illuminati shape-shifting reptilian alien overlords, and all you people do is sit back and LAUGH?! We are SO doomed. *sigh*

Speaking as someone who has dealt with web security since my time as a local Indymedia collective site admin starting in 2003, and got 0wned by some right-wing hackers a couple of times, I can say with absolute certainty that I’m having a blast watching a lot of self-important companies get slapped with a big trout, after getting their pants pulled down.

Lulzsec is running around at breakneck speed, pretty much smashing everything they can get their hands on ’till the hammer falls on them. Now, the rich and powerful are learning what those of us who were doing this stuff years ago have learned – there are better, smarter, more agile groups out there who will embarrass the hell out of you when they get the chance.

Hey – much more damage could be done by these guys. Wiping databases, injecting malware links into random stories, loading their servers with horse porn and warez – and that’s just the stuff I’ve had to clean up in the past. These guys are operating like it’s a different era – counting coup instead of stabbing a motherf**er to death.

LulzSec is more like they punctured a bunch of tires with a chopstick, which forced the tire company to replace them with better tires to all their customers rather than continue to manufacture cheap ones that can be punctured with a chopstick. Meanwhile, you’re realizing how much you rely on having good tires and maybe you’d be less likely to just blindly give your money to the company that makes tires that can be punctured with a dull wooden instrument.